From: Ben Hutchings <ben@decadent.org.uk>
To: Greg KH <gregkh@suse.de>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
Dan Rosenberg <drosenberg@vsecurity.com>,
Alex Elder <aelder@sgi.com>,
akpm@linux-foundation.org, torvalds@linux-foundation.org,
stable-review@kernel.org, alan@lxorguk.ukuu.org.uk
Subject: Re: [Stable-review] [18/71] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
Date: Thu, 14 Apr 2011 04:50:22 +0100
Message-ID: <1302753022.5282.678.camel@localhost>
In-Reply-To: <20110413161044.363600104@clark.kroah.org>
On Wed, 2011-04-13 at 09:09 -0700, Greg KH wrote:
> 2.6.33-longterm review patch. If anyone has any objections, please let us know.
>
> ------------------
>
> From: Dan Rosenberg <drosenberg@vsecurity.com>
>
> commit c4d0c3b097f7584772316ee4d64a09fe0e4ddfca upstream.
>
> The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
> xfs_fs_geometry() with a version number of 3. This code path does not
> fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
> the leaking of four bytes of uninitialized stack data to potentially
> unprivileged callers.
[...]
Needs a subsequent fix, like the corresponding bug fix in 2.6.32.37-rc1.
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
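
The leak pattern described in the quoted commit message, modelled in userspace C as an added example; it is not part of the original message and is not the XFS code. The struct layout, the function names, the field values and the `version >= 4` gate are assumptions made for illustration. `memcpy` stands in for `copy_to_user()`, and stale stack contents are simulated with a constructed 0xA5 fill so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for xfs_fsop_geom_t (not the real layout). */
struct geom_model {
    uint32_t blocksize;
    uint32_t sectsize;
    uint32_t logsunit;   /* the member the commit message says is left unset */
};

#define STALE_BYTE 0xA5  /* constructed marker standing in for old stack data */

/* Version-gated fill: in this model logsunit is written only for
 * version >= 4 (assumption), so a version-3 caller gets it back untouched. */
static void fill_geometry(struct geom_model *geo, int version)
{
    geo->blocksize = 4096;
    geo->sectsize = 512;
    if (version >= 4)
        geo->logsunit = 32768;
}

/* Models the ioctl handler; 'out' plays the role of the user buffer. */
static void geometry_ioctl(unsigned char *out, int version, int zero_first)
{
    struct geom_model geo;

    /* Simulate stack reuse instead of reading indeterminate memory. */
    memset(&geo, STALE_BYTE, sizeof(geo));
    if (zero_first)
        memset(&geo, 0, sizeof(geo));  /* hardened: clear before partial fill */
    fill_geometry(&geo, version);
    memcpy(out, &geo, sizeof(geo));    /* the whole struct crosses the boundary */
}

/* Count bytes in the copied-out buffer that still carry the stale marker. */
static size_t leaked_bytes(int version, int zero_first)
{
    unsigned char out[sizeof(struct geom_model)];
    size_t i, n = 0;

    geometry_ioctl(out, version, zero_first);
    for (i = 0; i < sizeof(out); i++)
        n += (out[i] == STALE_BYTE);
    return n;
}

int main(void)
{
    printf("v3 unzeroed: %zu, v3 zeroed: %zu\n", leaked_bytes(3, 0), leaked_bytes(3, 1));
    return 0;
}
```

Zeroing with the size of the object the caller actually declared, as done here, keeps the clearing step from writing outside that object.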